networking / vpn / dhcp question

James W. Long

Hi All:

Larger networking problem. I'm in the design phase of connecting 135 offices to
our corporate office.

Each office has 4 win2k workgroup computers networked together.
One of these is special.
I'll call that special one a "remote office server"
{even though it's not a server},
and I'll call the other three
"remote office networked computers".

We want each remote office to establish a full time VPN link
with corporate. So that's 135 VPN links to corporate.

Ultimately we want to be able to get to the files and shares
on the remote office server and the files and the shares on
the remote office networked computers. But let's not
go all the way there just yet.


I think this is a router to router configuration,
where all the security and encryption is between the routers.

When the "remote office servers" VPN in to corporate,
they appear on our local LAN.

Everyone will get addresses by DHCP at corporate,

and that's where the dilemma begins.

Our corporate LAN is 10.0.0.x with a mask of 255.255.255.0,
so that's 10.0.0.0/24 I think.

We don't have room in the corporate LAN for 135 more clients.

So I was thinking that I might want to go to
a 10.0.0.0/16 or 10.0.x.x with a mask of 255.255.0.0.

This mask would go on all the servers and all the clients
and our VPN/firewall at corporate to give us a {much} larger
address space with which to accommodate the 135 new
VPN clients (plus plus and then some, and that's okay).

First question:
Can I get a DHCP server to hand out addresses
like 10.0.0.x up to 10.0.1.135 (example)
sequentially? Or is that done through scopes?

Can I control what address the remote office servers get?
Can I force them to have addresses I choose?

For instance I may prefer office #1 to have
an address such as 10.0.1.x
and office 5 to have an address of 10.0.5.x
and office 120 to have an address of 10.0.120.x.
Is that possible?
 
Doug Sherman [MVP]

1. It is not necessary that the local IP address for the remote 'server' be
on the same subnet as the local LAN. You can configure a RRAS server to
provide IPs from a different address pool and then configure a static route.
This configuration is frequently used to resolve Internet access issues for
client/server VPNs, but it will work in a persistent router to router VPN as
well. See:

http://support.microsoft.com/default.aspx?scid=kb;en-us;317025

2. You can configure any DHCP server to limit its scope to a specific range
of IP addresses (like 10.0.0.x up to 10.0.1.135). However, you do not want
to do this if the range is on the local subnet and the same DHCP server is
going to be servicing clients on the local subnet. What you could do is
exclude the desired 135 IPs from the local DHCP server's scope and configure
the RRAS server (which could be the same machine) to provide IPs from a pool
containing only the 135 addresses. The IPs would more or less be handed out
sequentially.

3. Unless you implement reservations, there is no way in Windows to
effectively control which IP will be leased to a specific machine. However,
Windows does allow you to control IP assignment on a per user basis. So, if
each remote 'server' logs on with a unique user account, you can dictate IP
address - AD Users and Computers - User Account properties - Dial-in tab.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
 
Guest

I didn't see office with 135 LANs but anyway not a big deal. I guess the
cleanest way is to create 135 scopes and then do a reservation for each of your
"servers". You have to set up the router to forward DHCP to HO. Once the DHCP server
sees a request originating from the remote network it will read the network address part
and hand out one address from the appropriate scope.
You can do a reservation inside each scope for the remote server by entering the remote
server's MAC address and IP.
You do not need to have one big subnet. You can create 135 small subnets,
let's say
10.65.1.0/24 up to 10.65.135.0/24 for all your remote networks.
I assume you have enough bandwidth for this exercise.
 
Phillip Windell

Doug Sherman said:
> Windows does allow you to control IP assignment on a per user basis. So, if
> each remote 'server' logs on with a unique user account, you can dictate IP
> address - AD Users and Computers - User Account properties - Dial-in tab.

It is a Router-to-Router VPN not a user initiated Remote Access VPN.
 
Phillip Windell

James W. Long said:
> First question:
> Can I get a DHCP server to hand out addresses
> like 10.0.0.x up to 10.0.1.135 (example)
> sequentially? Or is that done through scopes?

You can, but I wouldn't. I would never make a remote client dependent on a
DHCP Server to get their network configuration when the DHCP Server is on
the other end of a VPN link that *will* be relatively undependable and
*will* periodically go down and leave the remote machines inoperable if they
haven't already gotten their network config before the line went down.

I would either have something to handle DHCP at each site, or would
statically assign the network configuration. Many VPN Devices are also the
Internet NAT Device for the LAN and many of them can be made to serve as a
DHCP Server, since each site has Internet access they would obviously have
something like this already available.

For the same reason each site would have its own Domain Controller (all the
same Domain) and would use "Sites" in active directory to handle replication
over what is considered a slow and undependable link.

Your sites need to maintain some level of autonomy even if the VPN link goes
down.

> Can I control what address the remote office servers get?
> Can I force them to have addresses I choose?

Yes. Reservations.

> For instance I may prefer office #1 to have
> an address such as 10.0.1.x
> and office 5 to have an address of 10.0.5.x
> and office 120 to have an address of 10.0.120.x.
> Is that possible?

Yes. That is the normal way it is done, with each office being a different
subnet. DHCP has a Scope for each subnet (office), the Routers are
configured to forward DHCP Queries to the DHCP Server and will include the
information the DHCP needs to know in order to give an address from the
proper scope. But, as I described above, I would not approach it this way in
the first place.
 
stuartm

Most vpn routers also have the ability to provide DHCP addresses - just
assign that site a specific subnet address and then configure the
clients to get their ip addresses from the dhcp server on the router.
That way if the link does go down, you've still got a running network.
 
Guest

Good point on "what if DHCP goes down". I had the same thoughts before. Should I
have one DHCP server with 17 scopes or 17 DHCP servers? If you have small
remote networks like this example it is quite enough to leave the default lease
period at 8 days. That way even if your server goes down you have enough time
to fix the problem. I found this approach way easier to handle than to
maintain 17 DHCP servers. It's a matter of priorities I guess.
 
James W. Long

Dear All:

Ok, I need to clarify.
My Corporate Office runs DHCP on an AS400.
The 135 remote offices are currently already statically assigned
IPs such as 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4
(each one looks like that).

Thank you all for the very excellent replies and I am
still digesting all of them but I wanted to add this:

The remote offices will have a VPN router in them.
The 4 machines in each will either have a static IP of my choosing
or get it from the VPN router at the remote site.

When the 'server' VPNs into our VPN router here at CORP,
it gets ANOTHER IP, that's the VPN IP.

I believe this is the case.
I'm pretty sure that's exactly what I've seen.

this VPN IP is either DHCP'd in the VPN router itself
or by an RRAS server out of a pool, or
by some other machine running DHCP.

The VPN IP is the IP I was/am concerned
about for the purpose of this discussion

When the VPN IP gets allocated, we want to see
the remote server machine
from our corp network right in network places.
We want to be able to drag and drop files on it.

That's the idea.

In fact, we want to remote desktop to
the remote server and control it,
and subsequently get to the files
on the other three remote office computers.

Thanks for all the excellent advice,
James W. Long
 
Leythos

> Good point on "what if DHCP goes down". I had the same thoughts before. Should I
> have one DHCP server with 17 scopes or 17 DHCP servers? If you have small
> remote networks like this example it is quite enough to leave the default lease
> period at 8 days. That way even if your server goes down you have enough time
> to fix the problem. I found this approach way easier to handle than to
> maintain 17 DHCP servers. It's a matter of priorities I guess.

I have many clients that have many remote offices, we set them up as
follows and have great success with this model:

CORP OFFICE: Firebox III/1000 or higher
Windows 2003/DNS/DHCP
192.168.3.0/24
192.168.4.0/24
DNS Suffix for this connection: ourcompany.lan

Remote office: VPN Router (IPSec to Corp Office)
192.168.128.0/24 (increment 128+ for each new remote office..129,130..)
Router provides DHCP service or we used Fixed IP
DNS 1 - points to Corp DNS server (192.168.3.10)
DNS 2/3 - points to Public DNS servers of ISP
DNS Suffix for this connection: ourcompany.lan
Append these DNS ... ourcompany.lan

All remote offices are part of the ourcompany.lan domain/network.

All offices can reach the corp office.

In the event of a VPN tunnel failure they can still get to the internet
for many things - like Outlook Web Access (if the connection is
available), and still do their online work. When the tunnel comes back
up they can still use the network resources.

We've got this running in about 30 clients locations, which makes for
about 300 remote offices around the globe.

Just make sure that you have quality connections and fixed IP's or the
entire thing is a PITA.
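The thread converges on the same design from three directions: one /24 per remote office (aurelio's 10.65.1.0/24 up to 10.65.135.0/24, Leythos's 192.168.128.0/24 counting upward), one DHCP scope per office with a reservation for the office "server", the office router relaying DHCP to headquarters so the server can pick the scope from the relay address, and the VPN device acting as an ordinary router between subnets. The following Python script is an added example written for this page, not code from any poster or product. It carves the per-office subnets, refuses a plan that would spill out of its /16 (starting at 192.168.128.0/24 leaves room for only 128 offices, fewer than the 135 in the original post) or collide with the corporate 10.0.0.0/24, simulates scope selection by relay address with MAC reservations, and does a longest-prefix route lookup. The office router sitting at .1, the dynamic pool of .10 to .250, the hub address 10.0.0.254, the gateway labels and the MAC addresses are all assumptions constructed for the example.

```python
"""Hub-and-spoke address plan for one corporate LAN plus many remote offices.

Added example, not code from the thread.  Assumed layout: office n gets its own
/24 (10.65.n.0/24 as the thread suggests), the office VPN router takes .1 and
relays DHCP to corporate, the corporate DHCP server picks the scope from the
relay agent address (giaddr) and honours per-MAC reservations."""
from ipaddress import IPv4Address, IPv4Network

CORP_LAN = IPv4Network("10.0.0.0/24")   # corporate LAN from the original post
OFFICE_COUNT = 135                      # remote offices from the original post
VPN_HUB = IPv4Address("10.0.0.254")     # assumed LAN address of the corporate VPN device


def office_subnet(office, first="10.65.1.0/24"):
    """Office 1 gets `first`; each later office bumps the third octet by one.
    Refuses to spill out of the enclosing /16, so a plan that starts at
    192.168.128.0/24 stops after 128 offices."""
    base = IPv4Network(first)
    if base.prefixlen != 24 or office < 1:
        raise ValueError("expects a /24 template and office numbers >= 1")
    net = IPv4Network((base.network_address + 256 * (office - 1), 24))
    block = base.supernet(new_prefix=16)
    if not net.subnet_of(block):
        raise ValueError(f"office {office} would fall outside {block}")
    return net


def build_plan(count=OFFICE_COUNT, first="10.65.1.0/24"):
    """Map office number -> subnet, rejecting any overlap with the corporate LAN."""
    plan = {n: office_subnet(n, first) for n in range(1, count + 1)}
    for n, net in plan.items():
        if net.overlaps(CORP_LAN):
            raise ValueError(f"office {n} subnet {net} overlaps corporate LAN {CORP_LAN}")
    return plan


def router_address(net):
    """Convention assumed here: the office VPN router is the first host (.1)."""
    return net.network_address + 1


class DhcpServer:
    """One DHCP server with one scope per subnet, chosen by the relay address."""

    def __init__(self, scopes, pool=(10, 250)):
        self.scopes = list(scopes)      # corporate scope plus one scope per office
        self.pool = pool                # last-octet range handed out dynamically
        self.reservations = {}          # mac -> reserved IPv4Address
        self.leased = set()             # addresses already handed out

    def reserve(self, mac, ip):
        addr = IPv4Address(ip)
        if not any(addr in s for s in self.scopes):
            raise ValueError(f"{addr} lies in no scope")
        self.reservations[mac.lower()] = addr

    def scope_for(self, giaddr):
        """giaddr 0.0.0.0 means no relay was involved: the request is local."""
        g = IPv4Address(giaddr)
        if g == IPv4Address("0.0.0.0"):
            return CORP_LAN
        for s in self.scopes:
            if g in s:
                return s
        raise LookupError(f"no scope contains relay address {g}")

    def offer(self, giaddr, mac):
        scope = self.scope_for(giaddr)
        reserved = self.reservations.get(mac.lower())
        if reserved is not None and reserved in scope:
            return reserved             # a reservation always wins
        for host in scope.hosts():
            last = int(host) & 0xFF
            if (self.pool[0] <= last <= self.pool[1]
                    and host not in self.leased
                    and host not in self.reservations.values()):
                self.leased.add(host)   # next free address, handed out in order
                return host
        raise RuntimeError(f"scope {scope} exhausted")


def route_table(plan):
    """Corporate view: LAN directly connected, offices behind the VPN device,
    everything else to the ISP (gateway labels are constructed)."""
    routes = [(IPv4Network("0.0.0.0/0"), "isp"), (CORP_LAN, "direct")]
    return routes + [(net, VPN_HUB) for net in plan.values()]


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs."""
    addr = IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


if __name__ == "__main__":
    plan = build_plan()
    dhcp = DhcpServer([CORP_LAN, *plan.values()])
    dhcp.reserve("00:11:22:33:44:05", "10.65.5.10")      # office 5 'server', constructed MAC
    relay = str(router_address(plan[5]))                # 10.65.5.1
    print(dhcp.offer(relay, "00:11:22:33:44:05"))       # reservation: 10.65.5.10
    print(dhcp.offer(relay, "00:11:22:33:44:06"))       # next free in pool: 10.65.5.11
    print(dhcp.offer("0.0.0.0", "aa:bb:cc:dd:ee:ff"))   # local scope: 10.0.0.10
    print(next_hop(route_table(plan), "10.65.120.20"))  # via the VPN device
```

Two things the script makes visible that the prose only implies: the reservation keeps its address out of the dynamic pool even before the reserved machine has asked for it, and a relayed request only ever lands in the scope that contains the relay's own address, which is why a router that fails to insert its LAN address into the relayed packet would silently get a corporate-LAN lease instead.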
 
Phillip Windell

aurelio said:
> Good point on "what if DHCP goes down". I had the same thoughts before. Should I
> have one DHCP server with 17 scopes or 17 DHCP servers? If you have small
> remote networks like this example it is quite enough to leave the default lease
> period at 8 days. That way even if your server goes down you have enough time
> to fix the problem. I found this approach way easier to handle than to
> maintain 17 DHCP servers. It's a matter of priorities I guess.

What kind of device are they using to provide their Internet connection?
Many of those can do DHCP for the LAN,...it may be doing that already. Then
you would not have anything additional to manage because this thing would
already be in place.

Since you haven't implemented this yet, how are the sites functioning now?
Are they running static addresses? Maybe they could just remain static,
but change the config to match the new design?
 
James W. Long

Dear Aurelio:

You look like you know subnetting very well and I don't,
but I'm learning, and trying to.

Ok, I get 135 small subnets,
10.65.1.0/24 to 10.65.135.0/24.

Is that what I need to route
to the offices and get to not only
their server but their computers?


I need to be able to reference the 'server' by name,
I would like to see a remote server in my network places,
and I need to be able to get to
the remote office computers, if only
by administrative share if that's all I can get.

So I need what?
To have 135 routes defined?

TIA
James W. Long
 
Phillip Windell

Leythos said:
> CORP OFFICE: Firebox III/1000 or higher

Yea, WatchGuard Firebox 1000's is what we use at all the sites.

> We've got this running in about 30 clients locations, which makes for
> about 300 remote offices around the globe.

Sounds like you are very similar to us. I'm not at the HQ location and have
never heard an exact number of sites because there are sites that are
owned, some partially owned, some with just corp management rights,...it's
confusing. The real total number of sites is somewhere above 20 and below
40.

Geographically it runs from Utah (west) to Rhode Island (east) and from
northern Michigan (north) to Puerto Rico (south).

> Just make sure that you have quality connections and fixed IP's or the
> entire thing is a PITA.

We used to have Static addresses but now use DHCP. However every site is
autonomous with their own Domains, WINS, DNS, DHCP, etc. The main need for
the connection to HQ is mostly for the use of certain applications used by
Accounting that run via either Citrix or a "web interface".
 
Leythos

"Phillip Windell" said:
> Yea, WatchGuard Firebox 1000's is what we use at all the sites.

If you let them, firebox, do the DCVP connections, then it's painless -
just make sure that you create the proper rule sets to allow remote
offices access to the corp office network/nodes - you don't have to
allow them to reach the entire corp network, you can limit it to
specific IP or a range if needed.
> Sounds like you are very similar to us. I'm not at the HQ location and have
> never heard an exact number of sites because there are sites that are
> owned, some partially owned, some with just corp management rights,...it's
> confusing. The real total number of sites is somewhere above 20 and below
> 40.
>
> Geographically it runs from Utah (west) to Rhode Island (east) and from
> northern Michigan (north) to Puerto Rico (south).
>
> We used to have Static addresses but now use DHCP. However every site is
> autonomous with their own Domains, WINS, DNS, DHCP, etc. The main need for
> the connection to HQ is mostly for the use of certain applications used by
> Accounting that run via either Citrix or a "web interface".

The fixed IP I was talking about was on the WAN side, not the LAN
systems (except for servers, printers, scanners, etc...).
 
Phillip Windell

James W. Long said:
> I need to be able to reference the 'server' by name,
> I would like to see a remote server in my network places,

Don't count on that working dependably over a slow VPN link. In fact count
on it not working, then on the days it does happen to work you can consider
it a "blessed" day.

Network Places works by Browse Lists that are maintained on Master Browsers
and Domain Master Browsers. It depends on either Netbios broadcasts and/or
WINS. It also requires that all sites be in the same domain, or at least the
workgroup names must match. It can get really ugly. Plan on accessing the
machines by the Run Line or Address Bar with manually typing in the
\\machinename\sharename.
 
James W. Long

Dear Phillip:

The remote sites are not currently connected to us at all.
They operate independently.

We are going to use an ADSL VPN router at the remote offices,
and either that will give the computers their IPs
or we will configure them statically. In either case
it will definitely be to match the new design,
which I am still working on.

When a VPN connection is made, that connection
gets a new IP in addition to the original IP,
at least this is what I have seen so far,
and the VPN IP is the one I am interested in
to get to the remote office 'server' and its 'remote computers',
and how it shows up at corporate.

I am trying to make a system that will allow us access
to the office 'server' and computers, from corporate.


Thank you for your input
all advice welcome!

James W. Long
 
Phillip Windell

Leythos said:
> If you let them, firebox, do the DCVP connections, then it's painless -
> just make sure that you create the proper rule sets to allow remote
> offices access to the corp office network/nodes - you don't have to
> allow them to reach the entire corp network, you can limit it to
> specific IP or a range if needed.

Well the guy at HQ worries about that,...I stay out of the way. We can
reach all HQ nodes, but jumping beyond them to other sites is somewhat
restricted.
> The fixed IP I was talking about was on the WAN side, not the LAN
> systems (except for servers, printers, scanners, etc...).

Ah! Ok.
 
Phillip Windell

James W. Long said:
> The remote sites are not currently connected to us at all.
> They operate independently.

Ok, good. I would recommend keeping as much of that independence as best
you can. Don't make them hopelessly dependent on a VPN link that by nature
is slow and less than dependable.
> We are going to use an ADSL VPN router at the remote offices,
> and either that will give the computers their IPs
> or we will configure them statically. In either case
> it will definitely be to match the new design,
> which I am still working on.

Yes, you want to make sure that each site is a unique subnet or whole
network so that you don't get address conflicts.

> When a VPN connection is made, that connection
> gets a new IP in addition to the original IP,
> at least this is what I have seen so far,

The New IP is inside the VPN tunnel and is relevant to the private LAN and
WAN only. It has no relationship to the current IP that it connects to the
Internet with. Keep them separated in your mind, a lot of people have
problems in that area.

> and the VPN IP is the one I am interested in
> to get to the remote office 'server' and its 'remote computers',
> and how it shows up at corporate.

There really is no such thing as a VPN IP. You only have two kinds, the
private LAN/WAN IP#s that consist of multiple networks or subnets, and the
external public IP#s that really aren't relevant.

You would connect to the IP# that the server uses on its own LAN in its own
site. VPN doesn't matter,..VPN simply provides the WAN link between the two
sites and does not go any further than that. The VPN Devices simply behave as
any other router that is between two subnets. Connecting to that server is
no different than if it was in the same room with you with a regular router
between it and you.

> I am trying to make a system that will allow us access
> to the office 'server' and computers, from corporate.

That should not be any problem as long as you don't expect Network Places to
display things the same as usual,...it probably won't,...takes work to get
it to do anything,...and may not be worth the trouble. It is not meant to
work well over slow links and is complicated further by having multiple
subnets.
 
Phillip Windell

Ok, I see. I'd probably favor the short address pool method myself.

Thanks Doug!